Module: Msf::Exploit::Remote::HTTP::SitecoreXp

Includes:
Msf::Exploit::Remote::HTTP::Sitecore::Error, Msf::Exploit::Remote::HttpClient
Defined in:
lib/msf/core/exploit/remote/http/sitecore_xp.rb

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #sslkeylogfile, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#get_identity_cookies ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sitecore_xp.rb', line 50

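# Walks the Sitecore XP external-login handshake, keeping the cookies from
# every response (each request sets 'keep_cookies').
#
# Steps, each of which must succeed or the method stops with a falsy result:
#   1. POST /identity/externallogin and expect a 302 carrying a Location header.
#   2. Request that Location on the identity server's vhost and expect a 200.
#   3. POST the first form's hidden inputs to /identity/signin and expect a 302.
#   4. GET /identity/externallogincallback and expect a 302 whose Location
#      contains 'sitecore/admin'.
#
# @return [Boolean, nil] true only when the final redirect points at
#   'sitecore/admin'; false or nil on any failed step.
def get_identity_cookies
  res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri('identity', 'externallogin'),
    'vars_get' => {
      'authenticationType' => 'SitecoreIdentityServer',
      'ReturnUrl' => '',
      'sc_site' => 'admin'
    },
    'keep_cookies' => true
  })
  return false unless res&.code == 302

  location_target = res.headers.fetch('Location', nil)
  return false unless location_target

  # The pattern captures only letters, digits, '.' and '_' between '://' and
  # the next '/'. A relative Location, or a host containing any other
  # character, yields no capture; stop here instead of sending a request with
  # a nil vhost and an unstripped URI.
  identity_vhost = location_target[%r{://([a-zA-Z0-9._]+)/}, 1]
  return false unless identity_vhost

  # NOTE(review): the scheme is taken from the module's own 'ssl' setting, not
  # from the Location header. If the identity server uses the other scheme the
  # prefix is not stripped -- confirm this is acceptable for callers.
  proto = datastore['ssl'] ? 'https' : 'http'
  identity_uri = location_target.sub("#{proto}://#{identity_vhost}", '')

  res = send_request_cgi!({
    'method' => 'GET',
    'uri' => identity_uri,
    'vhost' => identity_vhost,
    'keep_cookies' => true
  })
  return false unless res&.code == 200

  # Only the first form's hidden inputs are replayed; nil is posted when the
  # page has no form at all.
  hidden_inputs = res.get_hidden_inputs

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri('identity', 'signin'),
    'vars_post' => hidden_inputs[0],
    'keep_cookies' => true
  })
  return false unless res&.code == 302

  res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri('identity', 'externallogincallback'),
    'vars_get' => {
      'ReturnUrl' => '',
      'sc_site' => 'admin',
      'authenticationSource' => 'Default'
    },
    'keep_cookies' => true
  })

  res&.code == 302 && res.headers.fetch('Location', nil)&.include?('sitecore/admin')
end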

#get_version ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sitecore_xp.rb', line 105

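# Reads the Sitecore version from /sitecore/shell/sitecore.version.xml.
#
# @return [Rex::Version, nil] "major.minor.build" as a Rex::Version, or nil
#   when the file is not served with a 200, lacks a '<version>' tag, or is
#   missing any of the three version elements.
def get_version
  res = send_request_cgi({
    'uri' => normalize_uri('sitecore', 'shell', 'sitecore.version.xml'),
    'method' => 'GET'
  })
  return nil unless res&.code == 200 && res.body.include?('<version>')

  xml_document = res.get_xml_document

  # The '<version>' substring check above does not prove that the child
  # elements exist, so look each one up defensively rather than calling
  # #text on a nil node.
  version_parts = %w[major minor build].map do |field|
    xml_document.at("information//version//#{field}")&.text
  end
  return nil if version_parts.any?(&:nil?)

  Rex::Version.new(version_parts.join('.'))
end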

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/sitecore_xp.rb', line 9

# Registers the options this mixin adds on top of the including module's own.
#
# @param info [Hash] module metadata, forwarded unchanged to the superclass.
def initialize(info = {})
  super

  # IDENTITY_VHOST is required: the identity-server requests in this mixin
  # pass it as the 'vhost' of the request.
  identity_vhost_option = OptString.new('IDENTITY_VHOST', [true, 'Hostname of Sitecore identity server'])
  register_options([identity_vhost_option])
end

#login_identitysrv(username, password) ⇒ Object

Authenticates against the identity server. Sitecore XP uses a separate vhost to authenticate and obtain session cookies.

Raises:

  • (UnexpectedReplySitecore)


# File 'lib/msf/core/exploit/remote/http/sitecore_xp.rb', line 17

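# Authenticates against the Sitecore identity server, which is addressed
# through the vhost configured in the IDENTITY_VHOST option.
#
# The login page is fetched first so that its anti-forgery token can be sent
# back with the credentials; cookies from both responses are kept.
#
# @param username [String] account name, submitted with the 'sitecore\' prefix field
# @param password [String] password for that account
# @return [Boolean] true when the login POST answers 302 and sets cookies
# @raise [UnexpectedReplySitecore] when the login page is not served with a 200
def login_identitysrv(username, password)
  login_uri = normalize_uri(target_uri.path, 'Account', 'Login')
  identity_vhost = datastore['IDENTITY_VHOST']

  res = send_request_cgi({
    'uri' => login_uri,
    'method' => 'GET',
    'vhost' => identity_vhost,
    # Boolean, matching the POST below (the listing had the string 'true').
    'keep_cookies' => true
  })

  raise UnexpectedReplySitecore unless res&.code == 200

  hidden_inputs = res.get_hidden_inputs

  # nil when the page carries no such hidden field; the POST is then sent
  # without a token and the outcome depends on the server's answer.
  verification_token = hidden_inputs.dig(0, '__RequestVerificationToken')

  res = send_request_cgi({
    'method' => 'POST',
    'uri' => login_uri,
    'vhost' => identity_vhost,
    'vars_post' => {
      'Username' => username,
      'Password' => password,
      '__RequestVerificationToken' => verification_token,
      'ReturnUrl' => '',
      'AccountPrefix' => 'sitecore\\',
      'button' => 'login',
      'RememberLogin' => 'false'
    },
    'keep_cookies' => true
  })

  res&.code == 302 && !res.get_cookies.blank?
end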